Thursday, March 27, 2008

Check Linux distribution

In the past 帽客 always used cat /etc/issue to see which Linux version a machine was running, but that file can in fact be edited. Today I found a command that confirms 100% which Linux distribution it is: lsb_release. Below are the results of checking the distribution with cat /etc/issue and with lsb_release:

1. cat /etc/issue
[root@server2 tmp]# cat /etc/issue
CentOS release 5 (Final)
Kernel \r on an \m

2. lsb_release
[root@server2 tmp]# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5 (Final)
Release: 5
Codename: Final
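As an added example (not part of the original post), a small check that parses lsb_release output and compares it with the first line of /etc/issue, so an edited /etc/issue shows up as a mismatch. LSB and ISSUE are constructed copies of the output shown above; on a live host they would come from lsb_release -a and head -n 1 /etc/issue.

```shell
#!/bin/sh
# Added example, not from the original post: parse "lsb_release -a" output
# and compare it with the first line of /etc/issue, reporting a mismatch
# (a sign that /etc/issue was edited). LSB and ISSUE are constructed copies
# of the page's output; on a live host use
#   LSB=$(lsb_release -a 2>/dev/null)   ISSUE=$(head -n 1 /etc/issue)

LSB='LSB Version: :core-3.1-ia32:core-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5 (Final)
Release: 5
Codename: Final'
ISSUE='CentOS release 5 (Final)'

# lsb_field OUTPUT KEY: prints the value after "KEY:" (blanks stripped).
lsb_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2 }'
}

# issue_consistent LSB ISSUE: returns 0 when the /etc/issue line names the
# same distributor and release as lsb_release; otherwise prints the
# difference and returns 1. The release must be followed by a space or
# end the line, so release "5" does not match "50".
issue_consistent() {
    dist=$(lsb_field "$1" 'Distributor ID')
    rel=$(lsb_field "$1" Release)
    case "$2" in
        *"$dist"*" $rel "*|*"$dist"*" $rel") return 0 ;;
    esac
    printf 'lsb_release says %s %s but /etc/issue says "%s"\n' "$dist" "$rel" "$2"
    return 1
}

if issue_consistent "$LSB" "$ISSUE"; then
    echo '/etc/issue agrees with lsb_release'
fi
```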

Tuesday, March 18, 2008

selinux on RHEL5.1

Today I enabled SELinux on RHEL 5.1; here are some notes from the experience:

1. Enable SELinux:
[root@dns html]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
-> Change SELINUX=disabled to SELINUX=enforcing and reboot.

2. Check the current SELinux status:
[root@dns html]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
For more information, add the -v option:
[root@dns html]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Process contexts:
Current context: root:system_r:unconfined_t:SystemLow-SystemHigh
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

3. Check the SELinux booleans for a daemon, using httpd as an example:
[root@dns html]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on

To set a boolean, use setsebool. For example, when I don't want SELinux to confine httpd, do this:
[root@dns html]# setsebool -P httpd_disable_trans 1
[root@dns html]# getsebool -a | grep httpd_disable_trans
httpd_disable_trans --> on
Here 0 means off and 1 means on; the -P option stores the new boolean value persistently so it is still applied after the next boot.

Now a scenario to practise on: with SELinux enabled, allow the anonymous ftp account to get and put files, and to overwrite them.

1. Configure vsftpd (see the configuration below):
[root@dns html]# cat /etc/vsftpd/vsftpd.conf | grep -v "^$" | grep -v "^#"
anonymous_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Without SELinux this configuration already met the requirement, but with SELinux enabled you hit a wall. Look at the following demonstration:
chiu-lawrencede-ibook-g4:~ Lawrence$ ftp 10.5.30.147
Connected to 10.5.30.147.
220 (vsFTPd 2.0.5)
Name (10.5.30.147:Lawrence): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||50891|)
553 Could not create file.
ftp>

Check the ftp booleans:
[root@dns pub]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
See that? allow_ftpd_anon_write --> off and allow_ftpd_full_access --> off. Let's enable them!
[root@dns pub]# setsebool -P allow_ftpd_anon_write 1
[root@dns pub]# setsebool -P allow_ftpd_full_access 1

Try putting the file again:
chiu-lawrencede-ibook-g4:~ Lawrence$ ftp 10.5.30.147
Connected to 10.5.30.147.
220 (vsFTPd 2.0.5)
Name (10.5.30.147:Lawrence): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||50580|)
150 Ok to send data.
100% |***********************************************************************************| 666 1.92 MB/s 00:00
226 File receive OK.
666 bytes sent in 00:00 (1.62 KB/s)
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||37711|)
150 Ok to send data.
100% |***********************************************************************************| 666 2.76 MB/s 00:00
226 File receive OK.
666 bytes sent in 00:00 (2.92 KB/s)
ftp>

Done.
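As an added example (not part of the original post), a check that covers both the getsebool/setsebool step above and the ftp scenario: it compares the booleans the scenario needs against getsebool output and prints the setsebool -P command for each one that is not yet in the wanted state. SAMPLE is a constructed copy of the page's "getsebool -a | grep ftp" output; the WANTED list is my reading of the scenario, with ftpd_disable_trans kept off so vsftpd stays confined.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the SELinux
# booleans a scenario needs are already in the wanted state, and print
# the setsebool -P command for each one that is not. SAMPLE is a
# constructed copy of the page's "getsebool -a | grep ftp" output; on a
# live host use SAMPLE=$(getsebool -a) instead.

SAMPLE='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on'

# boolean_state OUTPUT NAME: prints on/off, or "missing" when the policy
# has no boolean of that name (boolean names differ between policies).
boolean_state() {
    state=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $3 }')
    printf '%s\n' "${state:-missing}"
}

# booleans_to_fix OUTPUT "name=on name=off ...": one line per boolean
# whose state differs from the wanted one; returns 1 if any differ.
booleans_to_fix() {
    out=$1 rc=0
    for spec in $2; do
        name=${spec%=*} wanted=${spec#*=}
        current=$(boolean_state "$out" "$name")
        [ "$current" = "$wanted" ] && continue
        rc=1
        if [ "$current" = missing ]; then
            printf '%s: not in this policy, check the boolean name\n' "$name"
        else
            bit=0; [ "$wanted" = on ] && bit=1
            printf 'setsebool -P %s %s   # currently %s\n' "$name" "$bit" "$current"
        fi
    done
    return $rc
}

# The page's anonymous-upload scenario: both write booleans on, and
# vsftpd still confined (ftpd_disable_trans off).
WANTED='allow_ftpd_anon_write=on allow_ftpd_full_access=on ftpd_disable_trans=off'

if booleans_to_fix "$SAMPLE" "$WANTED"; then
    echo 'all booleans already in the wanted state'
else
    echo 'apply the commands above, then re-run getsebool to confirm'
fi
```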

Thursday, March 13, 2008

RHEL5 group administrators

This is a concept that did not exist before, so here is a note on it:

Objective: let an ordinary user manage (add/remove) the members of a group

Environment:
law -> group administrator of group g1
g1 -> test group
alex -> will be assigned to group g1 by law
/home/g1 -> shared directory of group g1, mode 770

Step 1. Make law the administrator of group g1:
[root@server3 home]# gpasswd -A law g1
[root@server3 home]# grep law /etc/gshadow
law:!::
g1:!:law:
(The administrator of each group can be found in the third field of its /etc/gshadow entry.)

Step 2. Add alex to group g1:
[law@server3 ~]$ id alex
uid=502(alex) gid=503(alex) groups=503(alex)
[law@server3 ~]$ gpasswd -a alex g1
Adding user alex to group g1
[law@server3 ~]$ id alex
uid=502(alex) gid=503(alex) groups=503(alex),502(g1)

Step 3. Verify that alex can create files in /home/g1:
[alex@server3 home]$ ls -dl /home/g1/
drwxrwx--- 2 root g1 4096 Oct 21 05:06 /home/g1/
[alex@server3 home]$ cd g1
[alex@server3 g1]$ touch alex
[alex@server3 g1]$ ls -l alex
-rw-rw-r-- 1 alex alex 0 Oct 21 05:13 alex
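As an added example (not part of the original post), a few shell functions that read /etc/gshadow-format lines and answer who may administer a group, using the third-field semantics described above. GSHADOW is a constructed sample that matches the setup after alex has been added; the g2 line is invented to show a comma-separated admin list.

```shell
#!/bin/sh
# Added example, not from the original post: read /etc/gshadow-format
# lines (group:password:admins:members) and answer who may administer a
# group. GSHADOW is a constructed sample matching the page's setup after
# alex was added; on a live host use GSHADOW=$(cat /etc/gshadow) as root.

GSHADOW='root:::root
law:!::
g1:!:law:alex
g2:!:law,alex:'

# field GSHADOW GROUP N: prints colon-separated field N of GROUP's line.
field() {
    printf '%s\n' "$1" | awk -F: -v g="$2" -v n="$3" '$1 == g { print $n }'
}

# admins_of GSHADOW GROUP: the comma-separated administrator list (field 3).
admins_of() { field "$1" "$2" 3; }

# members_of GSHADOW GROUP: the comma-separated member list (field 4).
members_of() { field "$1" "$2" 4; }

# is_admin GSHADOW USER GROUP: 0 if USER is in GROUP's admin list. Matches
# a whole comma-separated item, so "law" does not match "lawrence".
is_admin() {
    case ",$(admins_of "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# groups_administered_by GSHADOW USER: one group name per line.
groups_administered_by() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($3, a, ","); for (i = 1; i <= n; i++) if (a[i] == u) print $1 }'
}

for g in g1 g2; do
    printf '%s: admins=[%s] members=[%s]\n' "$g" \
        "$(admins_of "$GSHADOW" "$g")" "$(members_of "$GSHADOW" "$g")"
done
is_admin "$GSHADOW" law g1 && echo 'law may run gpasswd -a/-d on g1'
is_admin "$GSHADOW" alex g1 || echo 'alex is a member of g1 but not its admin'
```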

Friday, March 07, 2008

RHEL5 系統管理寶典 基礎篇

I recently received a copy of 永昇 (Cd Chen)'s new book "RHEL5 系統管理寶典 基礎篇", for which I am very grateful to him. This new book is effectively the second edition of his introduction to Red Hat Linux system administration. For various reasons the first edition had to be written around Fedora, which was a bit of a pity; this new one is based entirely on RHEL5, and compared with the previous edition its content has been updated considerably. It is well worth reading for anyone serious about learning Linux system administration, and for students who have taken the RHCE training course it amounts to a Chinese-language reference for RH133. 帽客 is of course not advertising; good things simply have to be recommended. 帽客 has also started reading the book these past few days. Although I already know most of the material, real understanding should go: know -> know well -> master -> share & teach, so every time 帽客 reads a different Linux book there is something new to take away.